File name:	LARKSHARPSPOOFER.zip
Full analysis:	https://app.any.run/tasks/bff72926-9841-43b3-b63e-bfcaaf7e90c1
Verdict:	Malicious activity
Analysis date:	January 02, 2025, 15:25:06
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec python pyinstaller
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	5E5A8A54FC1283A440CE9D35DF48551D
SHA1:	2EBCE3A9C9F3A514F7F35E180400E7AB4DC12EDC
SHA256:	47F42570C1328798A903A976412A5D004FA38CA514F7262CD2FD3F80F55D02DA
SSDEEP:	98304:oxZ5IVvggs2lCJL3KK6NC6/lmNVD0Z9Nu6HYWFV5kAwtL7ex00CQVXe5plC964U5:EbZIDf89VLE4iF85yfepv

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:10:11 09:49:10
ZipCRC:	0x0a6cdeac
ZipCompressedSize:	10370472
ZipUncompressedSize:	10528569
ZipFileName:	LARKSHARP SPOOFER.exe


(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\LARKSHARPSPOOFER.zip
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6256) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\MSVCP140.dll		executable
		MD5:72F3D84384E888BF0D38852EB863026B	SHA256:A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\libcrypto-1_1.dll		executable
		MD5:89511DF61678BEFA2F62F5025C8C8448	SHA256:296426E7CE11BC3D1CFA9F2AEB42F60C974DA4AF3B3EFBEB0BA40E92E5299FDF
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\mac.EXE		executable
		MD5:AED42FF110A595753BB2F83171727285	SHA256:A124932386DBCC5E6B5901F2460F68E7CFB1DFF1406CD899620E8880461C60FB
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\_bz2.pyd		executable
		MD5:A49C5F406456B79254EB65D015B81088	SHA256:CE4EF8ED1E72C1D3A6082D500A17A009EB6E8ED15022BF3B68A22291858FECED
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\_socket.pyd		executable
		MD5:4827652DE133C83FA1CAE839B361856C	SHA256:87832A3B89E2ADA8F704A8F066013660D591D9CE01CE901CC57A3B973F0858BA
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\_ctypes.pyd		executable
		MD5:291A0A9B63BAE00A4222A6DF71A22023	SHA256:820E840759EED12E19F3C485FD819B065B49D9DC704AE3599A63077416D63324
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\amigendrv64.sys		executable
		MD5:9ACCEBD928A8926FECF317F53CD1C44E	SHA256:811E5D65DF60DFB8C6E1713DA708BE16D9A13EF8DFCD1022D8D1DDA52ED057B2
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\microsoft.vbs		text
		MD5:AF1905DC8BD39D2D407F12FB08272BEB	SHA256:BB113A896A43CB1B03A8B57A85E8D46FAF39FE4AE4AF97581B264415EF32BD3B
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\select.pyd		executable
		MD5:E21CFF76DB11C1066FD96AF86332B640	SHA256:FCC2E09A2355A5546922874FB4CAC92EE00A33C0ED6ADBC440D128D1E9F4EC28
6712	LARKSHARP SPOOFER.exe	C:\Users\admin\AppData\Local\Temp\_MEI67122\VCRUNTIME140.dll		executable
		MD5:4A365FFDBDE27954E768358F4A4CE82E	SHA256:6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
536	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1512	RUXIMICS.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
536	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1512	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
536	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1512	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	unknown
536	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1512	RUXIMICS.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	unknown
536	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	88.221.169.152	unknown
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
self.events.data.microsoft.com	20.50.201.200	whitelisted

General Info

LARKSHARPSPOOFER.zip

5E5A8A54FC1283A440CE9D35DF48551D

2EBCE3A9C9F3A514F7F35E180400E7AB4DC12EDC

47F42570C1328798A903A976412A5D004FA38CA514F7262CD2FD3F80F55D02DA

98304:oxZ5IVvggs2lCJL3KK6NC6/lmNVD0Z9Nu6HYWFV5kAwtL7ex00CQVXe5plC964U5:EbZIDf89VLE4iF85yfepv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Process drops python dynamic module

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

INFO

Manual execution by a user

Checks supported languages

The sample compiled with english language support

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Starts MODE.COM to configure console settings

PyInstaller has been detected (YARA)

The process uses the downloaded file

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings